Bluetooth earphones under attack for the WhisperPair flaw: what we risk and how to defend ourselves

A team of researchers from KU Leuven University in Belgium recently brought to light a family of critical vulnerabilities affecting the ecosystem of Bluetooth audio accessories, collectively called WhisperPair. These security flaws exploit weaknesses in the implementation of Google Fast Pair, a technology designed to make pairing between devices and accessories (true-wireless earphones, headphones and speakers) instant, turning a feature meant to make life easier for the user into a potential cyber attack vector.

The researchers' findings indicate that the problem is not limited to a single manufacturer but represents a systemic failure involving hundreds of millions of devices currently on the market, including flagship products such as Google Pixel Buds Pro 2, Sony headphones of the WH-1000XM series (including the XM4, XM5 and XM6) and products from brands such as OnePlus and Nothing. According to the researchers, an attacker within a range of 14 meters can force pairing with the victim's headphones, earphones or speakers without any physical interaction and without the user even being aware of it. Once the connection is established, the attacker gains complete control of the accessory: he can play sounds at high volume, intercept ambient audio through the built-in microphone or, in an even more insidious scenario, track the victim's physical location through Google's global Find Hub network.

It is crucial to highlight that this vulnerability lies in the firmware of the accessory itself and not in the smartphone: this means that iPhone users who use these headphones are exposed to the same risk, and the only definitive solution is not updating the phone or disabling Bluetooth, but installing the specific firmware updates issued by the manufacturers of the audio accessories in question.

WhisperPair: how insidious the flaw is

To get into the technical detail of how the WhisperPair attack unfolds, we need to take a step back and understand in broad terms how the communication protocol between devices works. Normally, to start the Fast Pair procedure, a "seeker" device (such as a smartphone) sends a message to a "provider" device (the audio accessory) indicating its intention to pair. According to the security specifications, the provider should ignore such requests if it has not been explicitly placed in "pairing mode" by the user (usually by pressing a physical button). The researchers, however, found that «many devices fail to enforce this control in practice, allowing unauthorized devices to initiate the pairing process». An attacker using common hardware (a laptop, a Raspberry Pi, etc.) and positioned within a range of 14 meters can exploit this missing check to establish a standard Bluetooth connection in a median of only 10 seconds, completely bypassing user consent.

The implications for privacy become even more delicate when we consider the integration with Google's Find Hub network, the system used to locate lost devices through crowdsourced geolocation. The protocol requires that, upon first pairing with an Android device, an "account key" is written to the accessory which establishes ownership. If the victim uses the headphones only with non-Android devices (for example an iPhone or a PC), or has never associated them with a Google account on an Android device, the accessory remains without a registered owner. In this scenario, the attacker can inject his own key, registering himself as the legitimate owner. From that moment on, he can monitor the victim's movements through the Find Hub network. Although the system can send an "unwanted tracking" notification to the victim after a few hours or days, it will paradoxically point to the victim's own device as the source, leading the user to dismiss the warning as a software error while the tracking continues undisturbed.
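As an added illustration (not code from the KU Leuven researchers or from any vendor firmware), the following Python model of the provider-side logic described in the last two paragraphs shows why the skipped pairing-mode check matters: with the check disabled, an unsolicited pairing request succeeds and the first account key written claims ownership; with it enforced, both fail. The class and method names, the 16-byte keys and the seeker names are assumptions of the model, not the Fast Pair specification.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Provider:
    """Minimal model of a Fast Pair 'provider' (the audio accessory)."""
    enforce_pairing_mode: bool = True      # False models the WhisperPair flaw
    pairing_mode: bool = False             # True only after the user presses the button
    account_key: Optional[bytes] = None    # None means no registered owner
    paired: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def press_pairing_button(self) -> None:
        self.pairing_mode = True

    def handle_pairing_request(self, seeker: str) -> bool:
        """A seeker asks to pair. Per the spec, refuse unless in pairing mode."""
        if self.enforce_pairing_mode and not self.pairing_mode:
            self.log.append(f"reject pairing from {seeker}: not in pairing mode")
            return False
        self.paired.add(seeker)
        self.pairing_mode = False          # one pairing per button press
        self.log.append(f"paired with {seeker}")
        return True

    def write_account_key(self, seeker: str, key: bytes) -> bool:
        """The first paired seeker to write a key becomes the owner for Find Hub."""
        if seeker not in self.paired or self.account_key is not None:
            return False
        self.account_key = key
        return True


def unsolicited_pairing(enforce: bool) -> dict:
    """Constructed scenario: nobody pressed the button; a nearby seeker tries anyway."""
    p = Provider(enforce_pairing_mode=enforce)
    paired = p.handle_pairing_request("unknown-seeker")
    owns = p.write_account_key("unknown-seeker", b"\xaa" * 16)  # constructed key
    return {"paired": paired, "owner_taken": owns, "log": p.log}


def legitimate_pairing() -> Provider:
    """Constructed scenario: the user presses the button, then pairs their own phone."""
    p = Provider(enforce_pairing_mode=True)
    p.press_pairing_button()
    p.handle_pairing_request("users-phone")
    p.write_account_key("users-phone", b"\x01" * 16)  # constructed key
    return p
```

A firmware test suite would keep the `enforce=True` case as a regression check so that an accessory never accepts a pairing request, and never lets an owner key be written, without the physical button having been pressed.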

On the left you can see the attacker’s dashboard with the location of the tracked device present in the Find Hub network; on the right the notification that the user receives on their device. Credit: Research group COSIC, KU Leuven.

The gravity of the situation is amplified by the fact that these devices passed both the manufacturers' quality controls and Google's certification process, exposing a flaw in the industry-level security verification chain. Google, informed of the problem in August 2025 and having classified the vulnerability as critical (CVE-2025-36911), is reportedly «working with its ecosystem partners to release security patches». At least, this is what the report drawn up by the researchers states.

How to protect yourself from cyber attacks

To protect yourself effectively from WhisperPair, it is essential to understand that updating your smartphone's operating system, whether Android or iOS, does not solve the root problem. Even restoring the headphones to their factory settings is not a solution, as it only removes the existing pairings and does not fix the code flaw that allows the intrusion. The only real defense is a firmware update of the vulnerable accessory. This is the advice the security researchers themselves give:

The only way to resolve this vulnerability is to install a software update released by the accessory manufacturer. While many manufacturers have released patches for affected devices, software updates may not yet be available for all vulnerable devices. We encourage researchers and users to check patch availability directly with the manufacturer.